'pip install allmydata-tahoe' now works
Sean Alexandre
sean at alexan.org
Mon Jun 30 16:58:11 UTC 2014
I'd like to understand this better too. There's this post that talks about the
general problem, but it's from 2012:
Signing and Verifying Python Packages with PGP
http://www.davidfischer.name/2012/05/signing-and-verifying-python-packages-with-pgp/
"To illustrate the security concerns, it is good to contrast how Python modules
are usually installed with how Apt or Yum do it for Linux distributions. Debian
and Redhat distros usually pre-provision the PGP keys for their packages with
the distribution. Provided you installed a legitimate Linux distribution, you
get the right PGP keys and every package downloaded through Apt/Yum is PGP
checked. This means that the package is signed using private key for that
distribution and you can verify that the exact package was signed and has not
been modified. The package manager checks this and warns you when it does not
match. Pip and Easy Install don’t do any of that... There are relatively few
packages on the cheeseshop (PyPI) that are PGP signed."
On Mon, Jun 30, 2014 at 03:07:21PM +0000, Leif Ryge wrote:
> Unfortunately (unless I'm missing something; I haven't investigated fully) the
> statement "'pip install allmydata-tahoe' now works" is rather dangerously
> misleading as it implies that that is a safe command to run on an
> internet-connected computer.
>
> Recent versions of pip verify SSL certificates and won't download over
> unencrypted HTTP unless you specifically tell it to. But, unless I'm mistaken,
> "pip install allmydata-tahoe" will still run tahoe's "setup.py build" which
> will brazenly download and execute unverified code.
>
> If I am mistaken (and I hope I am!) someone should close
> https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2055 ("Building tahoe safely is
> non-trivial").
>
> ~leif
>
> On Mon, Jun 30, 2014 at 06:58:30AM -0700, Callme Whatiwant wrote:
> > Huzzah!
> >
> > On Mon, Jun 23, 2014 at 12:47 PM, Brian Warner <warner at lothar.com> wrote:
> > > Just a heads up, the new Nevow-0.11.1 release a few days ago fixed
> > > tahoe's #2032, which means that you should now be able to install tahoe
> > > with just:
> > >
> > > pip install allmydata-tahoe
> > >
> > > That should grab all the necessary dependencies for you, including Twisted.
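The two concerns raised in this thread, an archive that is never checked against anything before install and a setup.py that runs (and may fetch code) during build, can be separated. Below is an added Python example, not code from this thread or from Tahoe-LAFS, that records a sha256 pin for an sdist in the `name==version --hash=sha256:...` line format that later pip versions accept with `pip install --require-hashes -r pins.txt` (a later feature; the thread predates it), refuses any archive whose digest does not match, and reads setup.py out of the tarball without executing it to flag strings that suggest network access at build time. The package name `demo`, the sample setup.py contents and the tarball are constructed for the example; the indicator list is a review heuristic, not a verdict.

```python
import hashlib
import hmac
import io
import re
import tarfile

# One requirements line in pip's hash-checking format, e.g.
#   allmydata-tahoe==1.10.0 --hash=sha256:<64 hex chars>
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)==(?P<version>\S+)\s+"
    r"--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)

# Substrings whose presence in setup.py suggests it reaches out to the
# network during build. Heuristic prompt for human review only.
NETWORK_INDICATORS = ("urlopen", "urllib", "requests.", "http://", "https://", "ftp://")


def parse_pins(text):
    """Parse pin lines into {normalized name: (version, sha256 hex digest)}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError("unparseable pin line: %r" % raw)
        key = m.group("name").lower().replace("_", "-")
        pins[key] = (m.group("version"), m.group("digest"))
    return pins


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_sdist(name, version, archive, pins):
    """Return (ok, reason); ok is True only when the archive's sha256 equals the pin."""
    key = name.lower().replace("_", "-")
    if key not in pins:
        return False, "no pin recorded for %s" % name
    pinned_version, pinned_digest = pins[key]
    if pinned_version != version:
        return False, "pinned %s but got %s" % (pinned_version, version)
    actual = sha256_hex(archive)
    if not hmac.compare_digest(actual, pinned_digest):
        return False, "sha256 mismatch: expected %s got %s" % (pinned_digest, actual)
    return True, "sha256 matches pin"


def inspect_setup_py(archive):
    """Read setup.py out of an sdist tarball WITHOUT executing it and return the
    network indicators it contains ([] = none found, None = no setup.py)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                source = tar.extractfile(member).read().decode("utf-8", "replace")
                return [ind for ind in NETWORK_INDICATORS if ind in source]
    return None


def build_sdist(setup_py_source):
    """Build a minimal, deterministic sdist tarball in memory.
    Constructed sample for the example, not a real package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = setup_py_source.encode("utf-8")
        info = tarfile.TarInfo("demo-0.1/setup.py")
        info.size = len(data)
        info.mtime = 0  # fixed timestamp keeps the digest stable run to run
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sdist("from setuptools import setup\nsetup(name='demo', version='0.1')\n")
    # In practice the digest is recorded once, from an archive whose PGP signature
    # you verified out of band (gpg --verify demo-0.1.tar.gz.asc demo-0.1.tar.gz).
    pins = parse_pins("demo==0.1 --hash=sha256:%s  # recorded pin\n" % sha256_hex(clean))
    print(verify_sdist("demo", "0.1", clean, pins))
    print(verify_sdist("demo", "0.1", clean + b"\x00", pins))  # tampered copy
    fetching = build_sdist("import urllib.request\nurllib.request.urlopen('http://example.invalid/x')\n")
    print(inspect_setup_py(fetching))
```

The pin only proves you are installing the same bytes you inspected earlier; it does nothing about what those bytes do once `setup.py build` runs, which is why the second function looks inside the archive first. Installing the verified file with `pip install --no-deps demo-0.1.tar.gz` keeps pip from silently resolving further unpinned downloads.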